To comply with section 6.9 - 6.12 of the Academies Financial Handbook, Multi-Academy Trusts (MATs) must be aware of the risk of fraud, theft and irregularity. Cyber security is specifically referenced by the Education & Skills Funding Agency (ESFA) as a concern that must be managed, requiring Trusts to be vigilant and proactive in relation to cyber crime. This blog provides further guidance on your MATs responsibilities for compliance with the Handbook and data protection and related law.
In a recent report of cases handled by the Information Commissioner's Office (ICO) in relation to schools (May 2018 - May 2019), 24 per cent of cases were the result of a security incident e.g. when a school reported or were reported for cyber crime, or fraud-related data breaches. Nationally, there have been well-documented cases where schools have been victims of cyber crime. Back in March 2019, the BBC News reported on the unfortunate case of Bridport School who ended up losing GCSE coursework due to a cyber attack. Around the same time, Schools Week reported about data from the ICO showing that the number of cyber-attacks on schools has risen by 69 per cent in a year. Between July and September 2017, there were 26 such reports. In the same period in 2019, there were 44.
The law is clear that Boards of Governors have the same level of responsibility for protecting schools from cyber crime as a Board of Directors of any company e.g. Facebook, Google, British Airways (some of these not very successfully...). The recent ‘Cyber Security Toolkit for Boards’ from the National Cyber Security Centre (NCSC), specifically highlights ‘Board of Governors’ as those who are accountable for improving and governing cyber security risks to the same degree of importance as they would for other organisational risks, such as with safeguarding, or more recent obligations towards the UK's Data Protection Act 2018.
Five strategic questions for education providers
The ESFA highlights that academy trust audit committees should follow a five step approach as a starting point for considering cyber risks in the trust:
1. Information Held
Does the school have a clear and common understanding of the range of information assets it holds and those that are critical to the business?
Does the school have a clear understanding of cyber threats and vulnerabilities?
3. Risk Management
Is the school proactively managing cyber risks as an integrated facet of broader risk management including scrutiny of security policies, technical activity, user education and testing and monitoring regimes against an agreed risk appetite?
4. Aspects of Risk
Does the school have a balanced approach to managing cyber risk that considers people (culture, behaviours and skills), process, technology and governance to ensure a flexible and resilient cyber security response
5. Governance Oversight
Does the school have sound governance processes in place to ensure that actions to mitigate threats and maximise opportunities in the cyber environment are effective?
Evidencing Cyber Security Protections for your Audit Committee & Board of Governors
Importantly, the ESFA identifies the requirements for audit committees to demonstrate the ‘quality of evidence underpinning assurances provided by management’ when assessing the risks. This guidance encourages audit committees to assess and gain assurance through the completion of the NCSC’s 10-Steps to Cyber Security. This framework is the starting point for Cyber Essentials certification which is a mandated requirement for all public sector bodies and any organisation wishing to conduct business with the public sector.
For any concerns about cyber security at your school: